{"id":713,"date":"2023-10-24T06:41:10","date_gmt":"2023-10-24T06:41:10","guid":{"rendered":"https:\/\/victorcoil.tech\/?page_id=713"},"modified":"2026-04-19T17:31:01","modified_gmt":"2026-04-19T17:31:01","slug":"azure-honeypot-mapping-global-threats-in-real-time","status":"publish","type":"page","link":"https:\/\/victorcoil.tech\/?page_id=713","title":{"rendered":"Azure Honeypot: Mapping Global Threats in Real-Time"},"content":{"rendered":"\n<div class=\"wp-block-group is-layout-constrained wp-block-group-is-layout-constrained wp-container-1 is-position-sticky\"><div id=\"guten-FPlYHb\" class=\"guten-element guten-nav-menu nav-menu break-point-tablet submenu-click-title \" data-item-indicator=\"fas fa-angle-down\" data-item-indicator-type=\"icon\" data-item-indicator-svg=\"\" data-close-on-click=\"1\" aria-label=\"\">\n\t\t\t<div class=\"gutenverse-hamburger-wrapper\">\n\t\t\t\t<button class=\"gutenverse-hamburger-menu\" aria-label=\"\">\n\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-bars\"><\/i>\n\t\t\t\t<\/button>\n\t\t\t<\/div>\n\t\t\t\n\t\t\t<div class=\"gutenverse-menu-wrapper\"><div class=\"gutenverse-menu-container\"><ul id=\"menu-azure-honeypot\" class=\"gutenverse-menu\"><li id=\"menu-item-797\" class=\"menu-item-797  menu-item menu-item-type-custom menu-item-object-custom\"><a href=\"javascript:void(0);\" data-href=\"https:\/\/victorcoil.tech\/?page_id=713\/#AzureVM\" aria-label=\"Honeypot Deployment\">Honeypot Deployment<\/a><\/li>\n<li id=\"menu-item-798\" class=\"menu-item-798  menu-item menu-item-type-custom menu-item-object-custom\"><a href=\"javascript:void(0);\" data-href=\"https:\/\/victorcoil.tech\/?page_id=713\/#LogMS\" aria-label=\"Log Analytics Setup\">Log Analytics Setup<\/a><\/li>\n<li id=\"menu-item-799\" class=\"menu-item-799  menu-item menu-item-type-custom menu-item-object-custom\"><a href=\"javascript:void(0);\" data-href=\"https:\/\/victorcoil.tech\/?page_id=713\/#VMScript\" aria-label=\"Geodata Extraction\">Geodata 
Extraction<\/a><\/li>\n<li id=\"menu-item-800\" class=\"menu-item-800  menu-item menu-item-type-custom menu-item-object-custom\"><a href=\"javascript:void(0);\" data-href=\"https:\/\/victorcoil.tech\/?page_id=713\/#CustomLog\" aria-label=\"Creating Custom Log\">Creating Custom Log<\/a><\/li>\n<li id=\"menu-item-801\" class=\"menu-item-801  menu-item menu-item-type-custom menu-item-object-custom\"><a href=\"javascript:void(0);\" data-href=\"https:\/\/victorcoil.tech\/?page_id=713\/#Sentinel\" aria-label=\"Threat Visualization with Sentinel\">Threat Visualization with Sentinel<\/a><\/li>\n<\/ul><\/div>\n\t\t\t\t<div>\n\t\t\t\t\t<div class=\"gutenverse-nav-identity-panel\">\n\t\t\t\t\t\t<div class=\"gutenverse-nav-site-title\">\n\t\t\t\t\t\t\t<a aria-label=\"\" href=\"https:\/\/victorcoil.tech\" class=\"gutenverse-nav-logo\"><\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<button class=\"gutenverse-close-menu\" aria-label=\"\"><i aria-hidden=\"true\" class=\"fas fa-times\"><\/i><\/button>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div><\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div id=\"AzureVM\" class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 
has-zeever-primary-color has-text-color has-heading-2-font-size\">Deploying an Azure Virtual Machine<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">This will be our main honeypot<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<p>This lab was inspired by Josh Madakor, whose content provided the initial idea and structure.<\/p>\n\n\n\n<div class=\"wp-block-group zeever-animate zeever-move-up zeever-delay-3 has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-32cee7d8 wp-block-group-is-layout-constrained\" style=\"padding-top:40px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-5 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">Azure Link<\/h2>\n\n\n\n<p><a href=\"https:\/\/azure.microsoft.com\/en-us\/free\/\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/azure.microsoft.com\/en-us\/free\/<\/a><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-3 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left 
has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">Lab Brief Summary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deployed an Azure Virtual Machine, exposed to the internet, to act as a honeypot.<\/li>\n\n\n\n<li>Used PowerShell to read failed logon events from the Windows Security event log on the VM and enrich each source IP address with location data from a third-party geolocation API.<\/li>\n\n\n\n<li>Set up a Microsoft Sentinel (formerly Azure Sentinel, Microsoft\u2019s cloud SIEM) workbook to plot the RDP brute-force attempts on a world map, showing where the attacks come from and in what volume.<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-style-customborderbottomhover zeever-animate zeever-move-up zeever-delay-1 has-black-background-color has-background is-layout-flow wp-block-column-is-layout-flow\" style=\"padding-top:50px;padding-right:40px;padding-bottom:50px;padding-left:40px\">\n<h2 class=\"wp-block-heading has-text-align-left has-zeever-primary-color has-text-color has-heading-3-font-size\" style=\"margin-top:20px;font-style:normal;font-weight:600\">Additional Links<\/h2>\n\n\n\n<p>An API key from this site will be needed.<\/p>\n\n\n\n<p><a href=\"https:\/\/ipgeolocation.io\/\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/ipgeolocation.io\/<\/a><\/p>\n\n\n\n<p>The script that calls the API can be found below.<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/joshmadakor1\/Sentinel-Lab\/blob\/main\/Custom_Security_Log_Exporter.ps1\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/github.com\/joshmadakor1\/Sentinel-Lab\/blob\/main\/Custom_Security_Log_Exporter.ps1<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>Azure offers a free trial that gives you $200 in credits for services. 
This is more than enough for this lab.<\/p>\n\n\n\n<p>Navigate to the Azure link at the top to get started.<\/p>\n\n\n\n<p>Once you have set up your profile and are ready to begin, click on virtual machines under \u201cAzure services\u201d. If not there, click the search bar and type \u201cVirtual machines\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"534\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc4-1024x534.png\" alt=\"\" class=\"wp-image-715\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc4-1024x534.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc4-300x156.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc4-768x400.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc4.png 1055w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Once on the Virtual Machines page, click \u201cCreate,\u201d then \u201cAzure Virtual Machine.\u201d<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"923\" height=\"706\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc5.png\" alt=\"\" class=\"wp-image-716\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc5.png 923w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc5-300x229.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc5-768x587.png 768w\" sizes=\"(max-width: 923px) 100vw, 923px\" \/><\/figure>\n\n\n\n<p>Below are the configurations I used for the virtual machine.<\/p>\n\n\n\n<p><strong>Resource Group<\/strong>: You\u2019ll have to create a new one; just click on \u201cCreate new\u201d and name it anything you want. 
I named it \u201c<strong>Honeypot_group<\/strong>\u201d.<\/p>\n\n\n\n<p><strong>Once the lab is complete and you have the results you wanted, delete the resource group to avoid additional charges.<\/strong><\/p>\n\n\n\n<p><strong>Virtual Machine Name:<\/strong> <strong>&#8220;honeypot-vm&#8221;<\/strong><\/p>\n\n\n\n<p>You can also name the Virtual machine anything you want.<\/p>\n\n\n\n<p><strong>Region: (US) East US<\/strong><\/p>\n\n\n\n<p>You can pick any Region you wish.<\/p>\n\n\n\n<p><strong>Image: Windows 11<\/strong><\/p>\n\n\n\n<p>I left everything else as the default.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"863\" height=\"763\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc6.png\" alt=\"\" class=\"wp-image-717\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc6.png 863w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc6-300x265.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc6-768x679.png 768w\" sizes=\"(max-width: 863px) 100vw, 863px\" \/><\/figure>\n\n\n\n<p>Here, I just did my first initial and last name for the username. But the password was strong. Because the next steps expose RDP to the entire internet, this password is the only thing between the brute-force attempts and an administrator session on the VM, so use a long, random password that you use nowhere else. After you pick your username and password, click on \u201cReview + create\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"938\" height=\"668\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc7.png\" alt=\"\" class=\"wp-image-718\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc7.png 938w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc7-300x214.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc7-768x547.png 768w\" sizes=\"(max-width: 938px) 100vw, 938px\" \/><\/figure>\n\n\n\n<p>Once validation passes, click on &#8220;Create&#8221; at the bottom left.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"805\" height=\"255\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc8.png\" alt=\"\" class=\"wp-image-719\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc8.png 805w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc8-300x95.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc8-768x243.png 768w\" sizes=\"(max-width: 805px) 100vw, 805px\" \/><\/figure>\n\n\n\n<p>The deployment-in-progress window will appear after clicking \u201cCreate\u201d. Just wait until it finishes; it can take a while.<\/p>\n\n\n\n<p>After a couple of minutes, click on \u201cMicrosoft Azure\u201d in the top left to go back to your main dashboard. You will find your virtual machine there.<\/p>\n\n\n\n<p>Remember that this is a honeypot: the network security group created with the VM only admits the ports selected at creation (RDP by default for a Windows image), so we now loosen the inbound rules to make the Virtual Machine reachable on every port. Click on the virtual machine.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"428\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc9-1024x428.png\" alt=\"\" class=\"wp-image-720\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc9-1024x428.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc9-300x126.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc9-768x321.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc9.png 1078w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>On the left-hand side, click on &#8220;Networking&#8221;. 
Then click on the blue &#8220;Add inbound port rule&#8221; button.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"505\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc10-1024x505.png\" alt=\"\" class=\"wp-image-721\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc10-1024x505.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc10-300x148.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc10-768x379.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc10.png 1255w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>These are the configurations I used for the inbound rule. It allows any and all traffic into the machine. After configuring, create\/save the rule.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" width=\"561\" height=\"591\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc11.png\" alt=\"\" class=\"wp-image-722\" style=\"aspect-ratio:0.949238578680203;width:561px;height:auto\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc11.png 561w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc11-285x300.png 285w\" sizes=\"(max-width: 561px) 100vw, 561px\" \/><\/figure>\n\n\n\n<p>Together with the host firewall being switched off later in this lab, this rule exposes every port on the VM to the whole internet. That is exactly what a honeypot needs, but it also means the VM will be taken over for real if its password can be guessed, so keep nothing except this lab in the resource group and delete the group as soon as you have your results.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div id=\"LogMS\" class=\"wp-block-group has-zeever-bgsoft-background-color 
has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Log Analytics and MS Defender for Cloud<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Setting up log analytics workspace and configuring Defender for cloud<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>Now we will set up a Log Analytics workspace, which is where the VM\u2019s event logs will be stored and queried, and configure Microsoft Defender for Cloud to collect them.<\/p>\n\n\n\n<p>In the search bar, type \u201cLog Analytics workspaces\u201d and click it.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"576\" height=\"319\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc12-1.png\" alt=\"\" class=\"wp-image-727\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc12-1.png 576w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc12-1-300x166.png 300w\" sizes=\"(max-width: 576px) 100vw, 576px\" \/><\/figure>\n\n\n\n<p>On the Log Analytics workspaces page, click \u201cCreate\u201d in the top left, as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"859\" height=\"579\" 
src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc13-1.png\" alt=\"\" class=\"wp-image-728\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc13-1.png 859w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc13-1-300x202.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc13-1-768x518.png 768w\" sizes=\"(max-width: 859px) 100vw, 859px\" \/><\/figure>\n\n\n\n<p>Make sure the proper Resource group is selected. Name the instance anything you want; here, I named it \u201cLog-Honeypot\u201d.<\/p>\n\n\n\n<p>Click on Create and Review. Once validation is complete, click on \u201cCreate\u201d at the bottom.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"832\" height=\"707\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc14-1.png\" alt=\"\" class=\"wp-image-729\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc14-1.png 832w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc14-1-300x255.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc14-1-768x653.png 768w\" sizes=\"(max-width: 832px) 100vw, 832px\" \/><\/figure>\n\n\n\n<p>Once done with that, search and click on &#8220;Microsoft Defender for Cloud&#8221;. 
<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"587\" height=\"335\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc15.png\" alt=\"\" class=\"wp-image-730\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc15.png 587w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc15-300x171.png 300w\" sizes=\"(max-width: 587px) 100vw, 587px\" \/><\/figure>\n\n\n\n<p>On the left-hand side, scroll down until you see &#8220;Environment settings&#8221;.<\/p>\n\n\n\n<p>Turn on Microsoft Defender for Servers for both the subscription and the Log-Honeypot workspace.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"711\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc16-1024x711.png\" alt=\"\" class=\"wp-image-731\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc16-1024x711.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc16-300x208.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc16-768x534.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc16.png 1140w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>In the Defender plans, turn on the Servers plan, then save; the change can take a moment to apply. 
Make sure you do this for \u201cAzure subscription 1\u201d; the subscription could be named differently for you.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"466\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc17-1024x466.png\" alt=\"\" class=\"wp-image-732\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc17-1024x466.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc17-300x137.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc17-768x350.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc17.png 1175w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Under Data collection, select \u201cAll Events\u201d so that every Windows Security event, not just the filtered default set, is stored in the workspace, then save.<\/p>\n\n\n\n<p>The Data collection setting is only offered at the workspace level; there is none on the subscription itself.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"1008\" height=\"501\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc18.png\" alt=\"\" class=\"wp-image-733\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc18.png 1008w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc18-300x149.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc18-768x382.png 768w\" sizes=\"(max-width: 1008px) 100vw, 1008px\" \/><\/figure>\n\n\n\n<p>Go back to the Log Analytics workspaces page and click on the Log-Honeypot workspace. 
Then click on the virtual machine (honeypot-vm).<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"996\" height=\"514\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-After19.png\" alt=\"\" class=\"wp-image-734\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-After19.png 996w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-After19-300x155.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-After19-768x396.png 768w\" sizes=\"(max-width: 996px) 100vw, 996px\" \/><\/figure>\n\n\n\n<p>After clicking on the Virtual Machine, click on \u201cConnect\u201d. This installs the Log Analytics agent on the VM and links it to this workspace, so the VM\u2019s Windows event logs start flowing into it.<\/p>\n\n\n\n<p>Navigate back to your dashboard and click on your virtual machine again. The VM\u2019s own \u201cConnect\u201d button, shown below, is the one that opens a remote session to it.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"583\" height=\"248\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc19.png\" alt=\"\" class=\"wp-image-735\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc19.png 583w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc19-300x128.png 300w\" sizes=\"(max-width: 583px) 100vw, 583px\" \/><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div id=\"VMScript\" class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div 
class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Script and VM FW Configuration<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Turning off the VM Firewalls and setting up the script to collect geo-location data for any failed remote desktop connections<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>After clicking on the connect button, you should be able to see the IP address of the Virtual machine. We can connect to it using Remote Desktop on our actual home computer.<\/p>\n\n\n\n<p>Search and click on &#8220;Remote Desktop&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"451\" height=\"672\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc20-1.png\" alt=\"\" class=\"wp-image-755\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc20-1.png 451w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc20-1-201x300.png 201w\" sizes=\"(max-width: 451px) 100vw, 451px\" \/><\/figure>\n\n\n\n<p>Type in the virtual machine&#8217;s IP address and use the administrator username you created when the Virtual Machine was created. Click \u201cConnect\u201d. 
It will ask you for the password.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"401\" height=\"489\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc21-1.png\" alt=\"\" class=\"wp-image-756\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc21-1.png 401w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc21-1-246x300.png 246w\" sizes=\"(max-width: 401px) 100vw, 401px\" \/><\/figure>\n\n\n\n<p>After providing the credentials, click \u201cYes\u201d when the certificate warning appears. The warning is expected here: a freshly created Azure VM presents a self-signed RDP certificate, and you are connecting to the IP address you just read from the portal.<\/p>\n\n\n\n<p>You should now be connected to the virtual machine.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"609\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc22-1-1024x609.png\" alt=\"\" class=\"wp-image-757\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc22-1-1024x609.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc22-1-300x178.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc22-1-768x456.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc22-1.png 1427w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Inside the virtual machine, go to this GitHub and download the script. 
There will be a \u201cDownload raw file\u201d button on the top right of GitHub.<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/joshmadakor1\/Sentinel-Lab\/blob\/main\/Custom_Security_Log_Exporter.ps1\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/github.com\/joshmadakor1\/Sentinel-Lab\/blob\/main\/Custom_Security_Log_Exporter.ps1<\/a><\/p>\n\n\n\n<p>I also created an account on the website below, as the website&#8217;s API will be used with the script.<\/p>\n\n\n\n<p><a href=\"https:\/\/ipgeolocation.io\/\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/ipgeolocation.io\/<\/a><\/p>\n\n\n\n<p>In the virtual machine, search for \u201cPowerShell ISE.\u201d<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"458\" height=\"674\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc23-1.png\" alt=\"\" class=\"wp-image-758\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc23-1.png 458w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc23-1-204x300.png 204w\" sizes=\"(max-width: 458px) 100vw, 458px\" \/><\/figure>\n\n\n\n<p>In PowerShell ISE, click on \u201cFile > Open\u201d. Then navigate to where the script was downloaded. For me, it was in the \u201cDownloads\u201d Folder.<\/p>\n\n\n\n<p>Replace the API key in the script with the key from your own ipgeolocation.io account. (That isn&#8217;t my API key. Please don&#8217;t store API keys in public places such as a repository or a screenshot.)<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"705\" height=\"320\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc24-1.png\" alt=\"\" class=\"wp-image-759\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc24-1.png 705w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc24-1-300x136.png 300w\" sizes=\"(max-width: 705px) 100vw, 705px\" \/><\/figure>\n\n\n\n<p>Once you have replaced the key, save the file with CTRL+S.<\/p>\n\n\n\n<p>The script is ready. One last step remains: the Windows firewall on the VM has to be turned off, otherwise it will keep dropping the probes (ICMP included) that we want the VM to answer. On the virtual machine, search for &#8220;Firewall&#8221; and click on &#8220;Windows Defender Firewall&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"411\" height=\"246\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc25-1.png\" alt=\"\" class=\"wp-image-760\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc25-1.png 411w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc25-1-300x180.png 300w\" sizes=\"(max-width: 411px) 100vw, 411px\" \/><\/figure>\n\n\n\n<p>With Windows Defender Firewall open, click on \u201cAdvanced Settings\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img decoding=\"async\" width=\"835\" height=\"443\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc26-1.png\" alt=\"\" class=\"wp-image-761\" style=\"aspect-ratio:1.8848758465011286;width:835px;height:auto\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc26-1.png 835w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc26-1-300x159.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc26-1-768x407.png 768w\" sizes=\"(max-width: 835px) 100vw, 835px\" \/><\/figure>\n\n\n\n<p>Then click on &#8220;Windows Defender Firewall Properties&#8221;. 
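<\/p>\n\n\n\n<p>If you would rather script this section than click through it, here is the whole procedure, firewall profiles off and then the failed-RDP collection loop, as one PowerShell script to run from an elevated PowerShell prompt inside the honeypot VM. It is an added example for this write-up, not the script from this page and not Josh Madakor\u2019s Custom_Security_Log_Exporter.ps1. Three things in it are assumptions made for the example rather than details taken from the page: the API key is read from an environment variable named IPGEO_API_KEY instead of being pasted into the file, the output goes to C:\\ProgramData\\failed_rdp.log, and each record uses a name:value layout. Adjust them to match the script you actually downloaded before pointing the custom log at the file.<\/p>\n\n\n\n```powershell\n# Added example for this write-up: not the script from this page or from Josh Madakor.\n# Run in an ELEVATED PowerShell session INSIDE the honeypot VM, never on your own PC.\n# Assumptions made here (not stated on the page): API key in $env:IPGEO_API_KEY, the log\n# file path, and the name:value record layout. Change them to match the script you downloaded.\n\n# 1. Same as the GUI steps: switch off all three Windows Firewall profiles and confirm it.\nSet-NetFirewallProfile -Profile Domain,Private,Public -Enabled False\nGet-NetFirewallProfile | Select-Object Name, Enabled   # all three should now show False\n\n$ApiKey  = $env:IPGEO_API_KEY\n$LogFile = 'C:\\ProgramData\\failed_rdp.log'\nif (-not $ApiKey) { throw 'Set IPGEO_API_KEY first; do not hard-code the key in the script.' }\n\n# Only geolocate public IPv4 addresses. Loopback, link-local and RFC 1918 ranges cannot be\n# placed on a map and would only burn API quota (your own mistyped password is a 4625 too).\nfunction Test-PublicIPv4 {\n    param([string]$Ip)\n    if ($Ip -notmatch '^\\d{1,3}(\\.\\d{1,3}){3}$') { return $false }\n    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }\n    if ($o[0] -in @(0, 10, 127)) { return $false }\n    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false }\n    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $false }\n    if ($o[0] -eq 169 -and $o[1] -eq 254) { return $false }\n    return $true\n}\n\n# 2. Poll the Security log for Event ID 4625 (Windows failed logon), enrich each source IP,\n#    and append one line per attempt. $Seen keeps RecordIds already written so a repeated\n#    poll of the same 5-minute window does not log an event twice (unbounded, fine for a lab).\n$Seen = @{}\nwhile ($true) {\n    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-5) }\n    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue\n    foreach ($e in $events) {\n        if ($Seen.ContainsKey($e.RecordId)) { continue }\n        $Seen[$e.RecordId] = $true\n\n        # Read EventData fields by name from the event XML instead of trusting positional indexes.\n        $data = @{}\n        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }\n        $ip = $data['IpAddress']\n        if (-not (Test-PublicIPv4 $ip)) { continue }\n\n        # ipgeolocation.io lookup; on a GET, -Body is appended to the URL as the query string.\n        $geo = Invoke-RestMethod -Uri 'https:\/\/api.ipgeolocation.io\/ipgeo' -Body @{ apiKey = $ApiKey; ip = $ip }\n\n        # One record per attempt; the custom log created in the next section ingests these lines.\n        $line = 'latitude:{0},longitude:{1},destinationhost:{2},username:{3},sourcehost:{4},state:{5},country:{6},label:{6} - {5},timestamp:{7}' -f `\n            $geo.latitude, $geo.longitude, $env:COMPUTERNAME, $data['TargetUserName'], $ip,\n            $geo.state_prov, $geo.country_name, $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')\n        Add-Content -Path $LogFile -Value $line\n        Write-Host $line\n    }\n    Start-Sleep -Seconds 60\n}\n```\n\n\n\n<p>Two design points are worth noting. The 4625 fields are read by name from the event XML rather than by position, so the code does not break if a field shifts, and private, loopback and link-local source addresses are skipped so that your own mistyped RDP password does not spend API quota or show up on the map as an attack. Because -Body on a GET request becomes the query string, the key never has to appear in the script text: set $env:IPGEO_API_KEY once in the same PowerShell session before pressing the green arrow.<\/p>\n\n\n\n<p>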
(Last check: make sure you are doing this on the virtual machine and not on your real computer.)<\/p>\n\n\n\n<p>On all three profiles (Domain, Private and Public), set the Firewall state to Off.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"753\" height=\"514\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc27-1.png\" alt=\"\" class=\"wp-image-762\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc27-1.png 753w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc27-1-300x205.png 300w\" sizes=\"(max-width: 753px) 100vw, 753px\" \/><\/figure>\n\n\n\n<p>With all three profiles off, close the firewall windows. Then run the script using the green arrow in PowerShell ISE.<\/p>\n\n\n\n<p>You can try pinging the virtual machine from your real PC. If the ping succeeds, ICMP is getting through both the inbound rule and the disabled host firewall, so the machine is discoverable from the internet. A ping only proves ICMP, though; what the brute-forcers need is TCP port 3389, so also confirm RDP is reachable from your PC (for example with Test-NetConnection and -Port 3389 in PowerShell). After that it\u2019s just a matter of waiting for the threat actors.<\/p>\n\n\n\n<p>If the ping fails, check that all three profiles really are off, then look over the virtual machine&#8217;s network settings and make sure the inbound rule from earlier is correct.<\/p>\n\n\n\n<p>It may take a while to see attempted brute-force attacks. 
(It took me 4 hours)<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"393\" height=\"103\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc28-1.png\" alt=\"\" class=\"wp-image-763\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc28-1.png 393w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc28-1-300x79.png 300w\" sizes=\"(max-width: 393px) 100vw, 393px\" \/><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div id=\"CustomLog\" class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Creating a Custom Log<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Creating a Custom log to parse for geo data<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group 
\n<p>Let">
has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>Let&#8217;s now make a custom log for our Sentinel Workbook.<\/p>\n\n\n\n<p>Back on the Azure dashboard, click on your Log Analytics workspace.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"845\" height=\"306\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc29-1.png\" alt=\"\" class=\"wp-image-764\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc29-1.png 845w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc29-1-300x109.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc29-1-768x278.png 768w\" sizes=\"(max-width: 845px) 100vw, 845px\" \/><\/figure>\n\n\n\n<p>Click on &#8220;Tables&#8221; on the left side, then click on \u201cCreate\u201d, then \u201cNew Custom log (MMA-based)\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"690\" height=\"458\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc30-1.png\" alt=\"\" class=\"wp-image-765\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc30-1.png 690w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc30-1-300x199.png 300w\" sizes=\"(max-width: 690px) 100vw, 690px\" \/><\/figure>\n\n\n\n<p>In the Virtual Machine, navigate to the file shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"870\" height=\"568\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc31-1.png\" alt=\"\" class=\"wp-image-766\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc31-1.png 870w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc31-1-300x196.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc31-1-768x501.png 768w\" 
sizes=\"(max-width: 870px) 100vw, 870px\" \/><\/figure>\n\n\n\n<p>Open the file, and copy the entire file. <\/p>\n\n\n\n<p>On your ACTUAL machine, just create a .txt file on your desktop and paste the logs into it. The virtual machine and your machine are sharing the clipboard.<\/p>\n\n\n\n<p>I named mine \u201cFailedRDPSample.txt\u201d<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"766\" height=\"825\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc32-1.png\" alt=\"\" class=\"wp-image-767\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc32-1.png 766w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc32-1-279x300.png 279w\" sizes=\"(max-width: 766px) 100vw, 766px\" \/><\/figure>\n\n\n\n<p>Select the file, then click Next.<\/p>\n\n\n\n<p>For the &#8220;Record delimiter&#8221;, click next if the logs seem fine.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"754\" height=\"580\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-SC33-1.png\" alt=\"\" class=\"wp-image-768\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-SC33-1.png 754w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-SC33-1-300x231.png 300w\" sizes=\"(max-width: 754px) 100vw, 754px\" \/><\/figure>\n\n\n\n<p>For the \u201cCollection Path\u201d, put the path of where the \u201cfailed_rdp.log\u201d file is located INSIDE of the Virtual Machine. 
For me, it was \u201cC:\\ProgramData\\failed_rdp.log\u201d<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"818\" height=\"468\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc34-1.png\" alt=\"\" class=\"wp-image-769\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc34-1.png 818w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc34-1-300x172.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc34-1-768x439.png 768w\" sizes=\"(max-width: 818px) 100vw, 818px\" \/><\/figure>\n\n\n\n<p>Pick a name for the custom log, then click Next.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"758\" height=\"362\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc35-1.png\" alt=\"\" class=\"wp-image-770\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc35-1.png 758w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc35-1-300x143.png 300w\" sizes=\"(max-width: 758px) 100vw, 758px\" \/><\/figure>\n\n\n\n<p>After that, review and then click on Create.<\/p>\n\n\n\n<p>You will have to wait a little while for the logs to sync.<\/p>\n\n\n\n<p>You can go to Logs on the left-hand side and try querying the table you made or the SecurityEvent table, as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"605\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc36-1-1024x605.png\" alt=\"\" class=\"wp-image-771\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc36-1-1024x605.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc36-1-300x177.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc36-1-768x454.png 768w, 
https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc36-1.png 1069w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Below is what it looks like once the logs start to appear.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"593\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc37-1-1024x593.png\" alt=\"\" class=\"wp-image-772\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc37-1-1024x593.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc37-1-300x174.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc37-1-768x445.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc37-1.png 1094w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-container-core-group-is-layout-22177b6a wp-block-group-is-layout-constrained\" style=\"padding-top:100px;padding-bottom:100px\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<div id=\"Sentinel\" class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading has-text-align-left is-style-lineseparator zeever-animate zeever-move-right zeever-delay-1 has-zeever-primary-color has-text-color has-heading-2-font-size\">Sentinel Workbook<\/h2>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left zeever-animate zeever-move-right zeever-delay-3 
has-zeever-secondary-color has-text-color has-tiny-font-size\" style=\"font-style:normal;font-weight:500;text-transform:uppercase\">Setting up the workbook to visualize the logs<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\"><\/div>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-zeever-bgsoft-background-color has-background is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>Now, let us set up Sentinel and create a workbook within it. Search and click on \u201cMicrosoft Sentinel\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"779\" height=\"307\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc38.png\" alt=\"\" class=\"wp-image-773\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc38.png 779w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc38-300x118.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc38-768x303.png 768w\" sizes=\"(max-width: 779px) 100vw, 779px\" \/><\/figure>\n\n\n\n<p>Then click on &#8220;Create&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"398\" height=\"180\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc39.png\" alt=\"\" class=\"wp-image-774\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc39.png 398w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc39-300x136.png 300w\" sizes=\"(max-width: 398px) 100vw, 398px\" \/><\/figure>\n\n\n\n<p>Your Log Workspace should already be there; click on it.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"566\" height=\"368\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc40.png\" alt=\"\" class=\"wp-image-775\" 
srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc40.png 566w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc40-300x195.png 300w\" sizes=\"(max-width: 566px) 100vw, 566px\" \/><\/figure>\n\n\n\n<p>On the left-hand side, click on \u201cWorkbooks\u201d. Then, at the top, click on \u201cAdd Workbook\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"739\" height=\"510\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc41.png\" alt=\"\" class=\"wp-image-776\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc41.png 739w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc41-300x207.png 300w\" sizes=\"(max-width: 739px) 100vw, 739px\" \/><\/figure>\n\n\n\n<p>Inside of the newly created workbook, click on &#8220;Edit&#8221; on the top left.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"572\" height=\"167\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc42.png\" alt=\"\" class=\"wp-image-777\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc42.png 572w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc42-300x88.png 300w\" sizes=\"(max-width: 572px) 100vw, 572px\" \/><\/figure>\n\n\n\n<p>Scroll to the bottom and click on &#8220;Add&#8221;. 
Then &#8220;Add query&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"171\" height=\"234\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc43.png\" alt=\"\" class=\"wp-image-778\"\/><\/figure>\n\n\n\n<p>This is the query I used.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vcFRDP_CL\n| extend username = extract(@\"username:([^,]+)\", 1, RawData),\n         timestamp = extract(@\"timestamp:([^,]+)\", 1, RawData),\n         latitude = extract(@\"latitude:([^,]+)\", 1, RawData),\n         longitude = extract(@\"longitude:([^,]+)\", 1, RawData),\n         sourcehost = extract(@\"sourcehost:([^,]+)\", 1, RawData),\n         state = extract(@\"state:([^,]+)\", 1, RawData),\n         label = extract(@\"label:([^,]+)\", 1, RawData),\n         destination = extract(@\"destinationhost:([^,]+)\", 1, RawData),\n         country = extract(@\"country:([^,]+)\", 1, RawData)\n| where destination != \"samplehost\"\n| where sourcehost != \"\"\n| summarize event_count=count() by latitude, longitude, sourcehost, label, destination, country<\/code><\/pre>\n\n\n\n<p>The query pulls each key:value pair out of the RawData column with a regular expression, drops the sample entry (destination &#8220;samplehost&#8221;) and any rows with an empty source host, and then counts events per latitude, longitude, source host, label, destination and country.<\/p>\n\n\n\n<p>Run the query, and for \u201cVisualization\u201d, click on the map, and change the size to full.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"406\" height=\"156\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc44.png\" alt=\"\" class=\"wp-image-779\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc44.png 
406w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc44-300x115.png 300w\" sizes=\"(max-width: 406px) 100vw, 406px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"499\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc45-1024x499.png\" alt=\"\" class=\"wp-image-780\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc45-1024x499.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc45-300x146.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc45-768x375.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc45-1536x749.png 1536w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc45.png 1583w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Below are some of the configurations I changed. Everything else was kept as the default.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" width=\"435\" height=\"782\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc46.png\" alt=\"\" class=\"wp-image-781\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc46.png 435w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc46-167x300.png 167w\" sizes=\"(max-width: 435px) 100vw, 435px\" \/><\/figure>\n\n\n\n<p>Click on &#8220;Apply&#8221;, then &#8220;Save and Close&#8221; once done. On the top left, click on \u201cDone Editing\u201d.<\/p>\n\n\n\n<p>That&#8217;s it! Now just wait for the results.<\/p>\n\n\n\n<p>Below are the results after leaving the virtual machine on for 24 hours. 
There were close to 14 thousand failed attempts.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"649\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc47-1024x649.png\" alt=\"\" class=\"wp-image-782\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc47-1024x649.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc47-300x190.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc47-768x487.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc47.png 1245w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I also set up a table below the map to see what username the threat actor tried to log in with, as well as the IP address.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"453\" src=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc48-1024x453.png\" alt=\"\" class=\"wp-image-783\" srcset=\"https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc48-1024x453.png 1024w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc48-300x133.png 300w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc48-768x340.png 768w, https:\/\/victorcoil.tech\/wp-content\/uploads\/2023\/10\/azure-sc48.png 1241w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>This is where IP blocks can begin to be coordinated.<\/p>\n\n\n\n<p>Again, I only had this virtual machine up for 24 hours. 
If I were to keep it up longer, there is no doubt in my mind that there would be many more attempts from other countries beyond the 4 listed on the map.<\/p>\n\n\n\n<p>This lab shows that as soon as a machine goes online, it begins to be enumerated and attacked. It also shows the importance of not using basic passwords and user accounts.<\/p>\n\n\n\n<p>This concludes the lab.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Deploying an Azure Virtual Machine This will be our main honeypot This lab was inspired by Josh Madakor, whose content provided the initial idea and structure. Azure Link https:\/\/azure.microsoft.com\/en-us\/free\/ Lab Brief Summary Additional Links API from this site will be needed. https:\/\/ipgeolocation.io\/ Script to use the API can be found below. https:\/\/github.com\/joshmadakor1\/Sentinel-Lab\/blob\/main\/Custom_Security_Log_Exporter.ps1 Azure offers a free trial that gives you $200 in credits for services. This is more than enough for this lab. Navigate to the Azure link at the top to get started. 
Once you have set up your profile and are ready to begin, click on virtual machines<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"class_list":["post-713","page","type-page","status-publish","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/713","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=713"}],"version-history":[{"count":23,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/713\/revisions"}],"predecessor-version":[{"id":1151,"href":"https:\/\/victorcoil.tech\/index.php?rest_route=\/wp\/v2\/pages\/713\/revisions\/1151"}],"wp:attachment":[{"href":"https:\/\/victorcoil.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=713"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}